Hi,
On 04/11/2025 18:08, Fabian Grünbichler wrote:
> 2) security infrastructure issues
> AFAIU, but my understanding here is very limited as I am neither part of DSA
> nor the security team:
> - the security archive/builders/dak instance are running inside VMs with not
> enough space for a full archive, which means no binNMU support

This is #823820, also discussed in [1] (thread continues in March 2024 and July
2025).

> - there is no support for building sets of interdependent uploads without
> releasing them (which would be required for embargoed issues to first upload
> a fixed crate package, then rebuild everything linking it, then release all
> the packages together)

I actually believe that is supported. Builds in security use other unreleased
builds. They are not a 'set', so unrelated security updates will also use every
unreleased update available.

> this part is probably only solvable by or with involvement of the security team
> and DSA, for obvious reasons.
>
> 3) lack of source NMUs
> there are no source NMUs, so any affected source package that builds an
> arch:all package and also happens to link the problematic source statically
> needs a real, sourceful upload, which scales a lot worse if the number of such
> packages is higher than a handful.

I'm also not sure what's the relevance in this. Usually packages statically
linking other libraries will be arch:any.

Cheers,
Emilio